| Summary: | <net-nds/openldap-2.4.24: security bypass (CVE-2011-{1024,1025,1081}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Paweł Hajdan, Jr. (RETIRED) <phajdan.jr> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | ldap-bugs |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://secunia.com/advisories/43331/ | | |
| Whiteboard: | B3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Paweł Hajdan, Jr. (RETIRED)
2011-02-17 15:50:39 UTC
ebuild added now. Thank you.

Arches, please stabilize =net-nds/openldap-2.4.24

Tested on SPARC, all tests passed. Please stabilise. Thanks Alex.

Stable for HPPA SPARC.

I think the two blocking bugs are not as important as the security fix that the new release brings. So amd64 done. The maintainer can fix the QA problems a bit later.

ppc/ppc64 stable

x86 stable, agreed minor QA issues shouldn't block security stabilization.

CVE assignment per http://www.openwall.com/lists/oss-security/2011/02/25/13:
> http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6607 CVE-2011-1024 openldap forwarded bind failure messages cause success
> http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6661 CVE-2011-1025 openldap rootpw is not verified with slapd.conf

alpha/arm/ia64/s390/sh stable

Thanks, folks. GLSA Vote: yes.

Looks like http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6768 was also fixed here. This is CVE-2011-1081 per http://www.openwall.com/lists/oss-security/2011/03/01/15.

CVE-2011-1081 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1081): modrdn.c in slapd in OpenLDAP 2.4.x before 2.4.24 allows remote attackers to cause a denial of service (daemon crash) via a relative Distinguished Name (DN) modification request (aka MODRDN operation) that contains an empty value for the OldDN field.
CVE-2011-1025 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1025): bind.cpp in back-ndb in OpenLDAP 2.4.x before 2.4.24 does not require authentication for the root Distinguished Name (DN), which allows remote attackers to bypass intended access restrictions via an arbitrary password.
CVE-2011-1024 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1024): chain.c in back-ldap in OpenLDAP 2.4.x before 2.4.24, when a master-slave configuration with a chain overlay and ppolicy_forward_updates (aka authentication-failure forwarding) is used, allows remote authenticated users to bypass external-program authentication by sending an invalid password to a slave server.

@ldap-bugs Please remove vulnerable version from the tree.

No. We still support the 2.3 series for users that cannot migrate to 2.4 (mainly if they are still using slurpd replication).

Vote: YES. Added to pending GLSA request.

This issue was resolved and addressed in GLSA 201406-36 at http://security.gentoo.org/glsa/glsa-201406-36.xml by GLSA coordinator Yury German (BlueKnight).
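The two bypass CVEs quoted in the thread (CVE-2011-1025, rootdn accepted with any password on back-ndb; CVE-2011-1024, a forwarded bind failure coming back as success through the chain overlay) share one observable symptom on the wire: a simple bind with a wrong password answers with resultCode 0 instead of 49 (invalidCredentials). The script below is an added example, not code from this bug, from Gentoo or from OpenLDAP. It hand-encodes an LDAPv3 simple BindRequest in BER (no client library needed), decodes the BindResponse, and flags a success on a deliberately wrong password. The host, port and rootdn are assumptions to be replaced with your own; the two sample responses are constructed byte strings for offline testing. A "success" verdict tells you the server accepted a bad password, not which of the two CVEs (or which misconfiguration) caused it, and CVE-2011-1024 only applies when the chain overlay and ppolicy_forward_updates are in use.

```python
import os
import socket

# --- minimal BER encoding, enough for LDAP bind/unbind -------------------

def ber_len(n):
    """Definite-form BER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(tag, value):
    """Two's-complement INTEGER/ENUMERATED body of minimal length."""
    body = value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True)
    return tlv(tag, body)

def bind_request(msg_id, dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { 3, dn, simple [0] password } }"""
    op = tlv(0x60, ber_int(0x02, 3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode()))
    return tlv(0x30, ber_int(0x02, msg_id) + op)

def unbind_request(msg_id):
    """UnbindRequest is [APPLICATION 2] NULL, encoded as tag 0x42 with zero length."""
    return tlv(0x30, ber_int(0x02, msg_id) + b"\x42\x00")

# --- minimal BER decoding for the BindResponse ---------------------------

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(data):
    """Return messageID, resultCode, matchedDN and diagnosticMessage of a BindResponse."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage (tag 0x%02x)" % tag)
    tag, mid, pos = _read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x61:  # BindResponse is [APPLICATION 1]
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    tag, rc, pos = _read_tlv(op, 0)
    if tag != 0x0A:
        raise ValueError("resultCode is not an ENUMERATED")
    _, matched, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    return {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "result_code": int.from_bytes(rc, "big", signed=True),
        "matched_dn": matched.decode(errors="replace"),
        "diagnostic": diag.decode(errors="replace"),
    }

def verdict(result_code):
    """Classify the answer to a bind that used a deliberately wrong password."""
    if result_code == 0:
        return "ACCEPTED_BAD_PASSWORD"   # the CVE-2011-1025 / CVE-2011-1024 symptom
    if result_code == 49:
        return "REJECTED"                # invalidCredentials: the expected answer
    return "OTHER_%d" % result_code      # e.g. 32 noSuchObject, 53 unwillingToPerform

# --- live check (needs a reachable slapd; parameters are assumptions) ----

def check_wrong_password_bind(host="ldap.example.invalid", port=389,
                              dn="cn=Manager,dc=example,dc=com", timeout=5.0):
    """Bind as `dn` with a random password that cannot be right and report the verdict."""
    bogus = os.urandom(16).hex()  # 32 random hex chars, never a configured rootpw
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(bind_request(1, dn, bogus))
        data = s.recv(4096)
        try:
            s.sendall(unbind_request(2))
        except OSError:
            pass
    resp = parse_bind_response(data)
    return verdict(resp["result_code"]), resp

# Constructed sample responses (not captured from any real server):
# messageID 1, BindResponse with resultCode 49 / 0, empty matchedDN and diagnostic.
SAMPLE_REJECT = bytes.fromhex("300c020101610a01310400 0400".replace(" ", "")[:0] or
                              "300c02010161070a013104000400")
SAMPLE_ACCEPT = bytes.fromhex("300c02010161070a010004000400")

if __name__ == "__main__":
    for name, raw in (("reject", SAMPLE_REJECT), ("accept", SAMPLE_ACCEPT)):
        print(name, verdict(parse_bind_response(raw)["result_code"]))
```

Run the live check only against a server you are responsible for; it sends one bind with a random password, which will show up in the server log and count against any ppolicy lockout threshold. Compare the verdict before and after upgrading to 2.4.24 to confirm the fix on your own configuration.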